Data Control in the Cloud

Whether your credit union is already using the cloud or is planning to during the next year, data security should be one of your main concerns.

After managed security services, handing off your data security to someone else is paramount for anyone involved in securing a credit union's data.

Many credit unions are moving their email to cloud based hosted solutions – Google, Microsoft, and many others offer this. Your workstations will connect to a remote server using an encrypted channel to download e-mails.

Virtually, you have your own server and your own disks. But physically, your data is stored in the same disk with many other companies' data and emails.

Some consideration must be given to how this data is protected, and not only from hackers.

Assume you have your own server in house. When the email is stored on that server, it's under your complete control. Assume that one of your employees does something that requires law enforcement investigation and for that reason you need to hand out your data.

If a law enforcement officer shows up at your doorstep without a court order, you can (and likely will) decline to hand over any data. You are not obliged in any way until there is a court order.

Assume now that you are hosting that data in the cloud; say your email is hosted with Google. Do you really think that they will take care of your data the same way you would? I would hope so, but I must be skeptical; after all, why would they anyway?

Now think of that same data stored on that same disk, sharing space with another company. Someone at that company is investigated and their data needs to be given to the authorities.

Law enforcement does not take "copies". They take originals; so they show up and take the disk. So now your data is on a disk that is being used in a legal case against another company you have no ties with whatsoever; it is no longer stored in the privacy of that data center. You don't even know where it is and who is reading it anymore!

And what if the legal case if coming from another country? What if that disk is being handed over to Scotland Yard? Now your data is not only on a disk used in a legal case that is not yours; but is not even in the U.S. anymore! And you have no control at all!

Is this something you should be worried about? It depends on how sensitive that data is, how damaging it would be if it ends up in the wrong hands – be that the competition or the public!

The answer can't be the same for every credit union; this is a consideration each credit union needs to make based on several parameters, but ultimately the most relevant of all is "what happens if the data ends up in the wrong hands"?

That question is the general question of security and is the reason why we have security in the first place. Moving your data to a hosted solution only adds to the uncertainty surrounding the security of your data, as it adds another layer of possible loss.